Security in Computing

Feb 28, 2025 · 29 min

Episode description

This excerpt from Charles P. Pfleeger's "Security in Computing" (5th edition) is a textbook chapter on computer security. It examines various threats to computer systems, including malicious attacks (like denial-of-service and malware), and unintentional errors. The text also explores security measures, such as authentication methods, encryption techniques, access control, and risk analysis. Furthermore, it discusses legal and ethical considerations surrounding computer security and privacy, encompassing topics like data protection, intellectual property, and responsible use of technology. Finally, the chapter explores incident response and business continuity planning.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Security-Computing-5th-Charles-Pfleeger/dp/0134085043?&linkCode=ll1&tag=cvthunderx-20&linkId=d07cac0f5d76c0aae1b8dc9e972c51f5&language=en_US&ref_=as_li_ss_tl



Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to another deep dive. This time we're cracking open Security in Computing, fifth edition. A classic. It really is, yeah, and for any listeners who want to check it out themselves, you can find it with ISBN-13 978-0134085043, okay, or ISBN-10 0134085043. Perfect. But we're going to distill all the key insights from this textbook and even its glossary, almost like a cheat sheet, right, for understanding the essential concepts of computer security and privacy.

Speaker 2

Yeah, and it's really cool because what's interesting about this book is that it's not just about the technical stuff right right, it's about how computers affect our lives, like everyday life and the choices we make exactly every single day.

Speaker 1

Yeah, it's about you. So one thing that really caught my eye was the section on data integrity. And you know, it's one thing to think about typos and like, oh, you know, is the data accurate? But the book takes it way beyond that.

Speaker 2

It does, and it should, right, because as soon as you're talking about banking, as soon as you're talking about infrastructure, like, this stuff needs to be right on point. Because imagine a database where financial transactions are, like, reordered, just very subtly. Yeah, but in a way that benefits someone with malicious intent.

Speaker 1

WHOA, Okay, so all the.

Speaker 2

Numbers add up, the order's just different. Yeah, that's a huge integrity issue.

Speaker 1

That's insidious. And the book also talks about, I mean, even on the hardware level, right, the Pentium chip flaw.

Speaker 2

Oh yeah, back in the day, the nineties. So Intel's Pentium chip had a flaw where it would produce incorrect results for certain calculations. Yeah, and like you're thinking, well, how often does that really happen? Well, if you're doing, like, scientific modeling or financial analysis, any little error can snowball into a huge problem. Intel had to replace millions of chips, so yeah, they learned the hard.

Speaker 1

Way. Expensive lesson. So then, you know, it gets even a little bit more unsettling when the book delves into terrorism. Oh, terrorism in the digital age. And the thing that surprised me was that there are actually four ways, according to this book, that terrorists use computers. Yeah.

Speaker 2

It's not just about, like, you know, building bombs or something, right. There's more to it than that. Computers are enablers, like, if you think about the 2008 Mumbai attacks, right, they used Google Earth, oh wow, to plan. Imagine a tool.

Speaker 1

That we use every day exactly for you know, getting directions to the grocery store.

Speaker 2

Exactly. Crazy wild.

Speaker 1

So besides being aware of, you know, these darker sides of technology and how it can be used, what can we do as individuals to protect ourselves? The book talks a lot about authentication, which I think is a very hot topic these days.

Speaker 2

It is more than ever, especially with the rise of data breaches. Yeah, and it's more than just you know, remembering a really strong, complex password, right, it could be tough. So there are three ways to authenticate something you know, something you are, something you have.

Speaker 1

Oh okay, I've heard that before, but break that down for me.

Speaker 2

Okay, So something you know that's like a password, something you are is like a biometric fingerprint, facial scan, and then something you have is a physical token like a keyfob. And we're seeing more companies using that, especially for sensitive accounts.

Speaker 1

Right, multi factor authentication.

Speaker 2

Right, right, exactly? Yeah, But the book also warns against you know, just adding more and more layers of authentication.

Speaker 1

Really, I would think that more security equals more protection.

Speaker 2

Yeah, you would think so, so what's the problem with that? Sometimes it can backfire really, Like there's this case study in the book about Ulster Bank, you know, their online banking system, and they implemented so many authentication factors that it actually made the system more vulnerable. Wow, because it created this really clunky and confusing user experience. Oh right, so customers were making.

Speaker 1

Mistakes struggling to remember all their different passwords, right.

Speaker 2

Oh, interesting, So yeah, they were making mistakes that actually weakened the system.

Speaker 1

Okay, So it's not always about more is better, it's about finding the right balance. So once we are authenticated, we're in the system, how do we make sure we're only accessing what we're supposed to do?

Speaker 2

Right?

Speaker 1

Isn't that where access control comes in?

Speaker 2

Access control? Think of it like the bouncer at the club. Okay, they're deciding who gets in and what they can access once they're inside. And we have all these different mechanisms simple list of users, or we have these complex role based systems.

Speaker 1

So like some systems are like exclusive VIP areas and others are more open door exactly.

Speaker 2

And there's a trade off between security and complexity. Right. So the more layers of access control, the more secure it is. But then it can slow things down and it's harder to manage.

Speaker 1

Okay, so authentication, we're in access control. Now we're only seeing what we should be seeing. But what about keeping our data secret?

Speaker 2

Encryption? Yeah, one of the most powerful tools for protecting information. It's basically writing a message in code that only someone with the right key can read.

Speaker 1

Right, Right, But there are different types of encryption.

Speaker 2

Right, There are symmetric and asymmetric.

Speaker 1

Okay, so what's the difference.

Speaker 2

Symmetric encryption is using the same key for both encrypting and decrypting. Okay, So it's fast, it's efficient, but securely sharing.

Speaker 1

That key, yeah, right, how do you do that?

Speaker 2

It's tricky. So that's where asymmetric comes in.

Speaker 1

Okay.

Speaker 2

Asymmetric encryption uses two keys. You have a public key that you can share freely, and then a private key that's kept secret.

Speaker 1

Oh interesting, Okay.

Speaker 2

Anyone can encrypt a message using that public key, but only the person with the private key can decrypt it.

Speaker 1

So it's like a mailbox with two slots, one for anyone to drop a letter in and one that only the owner can open perfect analogy. That makes a lot of sense. So asymmetric encryption is like having separate keys for sending and receiving messages, which makes it much easier. Right, but are there any downsides? I mean, there's gotta be right.

Speaker 2

Well, asymmetric is generally slower and needs more processing power. It's like choosing between a speed scooter and a sturdy truck.

Speaker 1

Yeah, okay, it depends on what you need exactly.

Speaker 2

And then, you know, even with the best encryption algorithms, there's always the risk of human error, right, exactly, sloppy implementation that can weaken the system.

Speaker 1

Human factor always comes into play. So we've been talking about you know, individual computers and data, but what happens when we start connecting those to networks.

Speaker 2

Oh yeah, that opens up a whole new can of worms. Networks, just like our bodies, they have weaknesses.

Speaker 1

That can be exploited. Right, exactly what kind of weaknesses are we talking about here?

Speaker 2

And one thing is, if you think about microwave signals, those aren't confined by wires, right, so it's easier to intercept those signals. And then wireless networks themselves are vulnerable to things like MAC address spoofing.

Speaker 1

Wait a minute, back up, what's MAC address spoofing?

Speaker 2

So basically, an attacker disguises their device's network address. Oh okay, to make it look like a trusted device. Yeah, exactly, like sneaking into a party with someone else's name tag. And then there are those denial of service attacks that we're always hearing about. Those are a huge network vulnerability, and we're seeing a rise in these DDoS attacks. Distributed. Distributed, right, so the attack comes from multiple computers, making it super hard to defend.

Speaker 1

Against, like a swarm of bees exactly coming from every direction.

Speaker 2

And the book has a really crazy example of a DDoS attack. Does it? Yeah, this online gambling site called BetCRIS got hit by a massive DDoS attack, and get this, the attackers demanded a ransom to stop the attack, so.

Speaker 1

They're holding the website hostage.

Speaker 2

Basically yeah wow. Yeah.

Speaker 1

So how do we protect against these network attacks because that sounds pretty scary.

Speaker 2

Well, there are different levels of protection. You can encrypt the data as it travels across a specific link.

Speaker 1

Between two offices or yeah.

Speaker 2

Exactly, okay, Or you can do what's called end to end encryption, which protects the data all the way from the sender to the recipient.

Speaker 1

Okay, got it. So it's like protecting the data in transit. But are there ways to prevent data loss even when it's not being transmitted?

Speaker 2

Yeah?

Speaker 1

I know the book talks about data loss prevention, but what exactly is that.

Speaker 2

It's like a watchdog for your sensitive info. It uses all these technologies to detect and prevent sensitive data from leaving the organization.

Speaker 1

Okay, so it's like accidentally emailing something or copying it to a USB drive, exactly, or even printing it out, exactly. Okay, so that's a big deal, especially these days with all these high profile data leaks. Oh yeah, absolutely. So DLP is like that last line of defense to stop those oops moments from turning into a PR nightmare, exactly. Well, what about the cloud?

Speaker 2

Oh yeah, the cloud?

Speaker 1

It's so convenient it is. But are there security risks with storing our data in the cloud? I mean, are we making it more vulnerable?

Speaker 2

You're essentially trusting a third party with your data. You got to trust that they have the right security measures in place, that they're handling it responsibly.

Speaker 1

But you can't always guarantee that trust, and I remember the book actually had a good example of this with Dropbox. What happened there?

Speaker 2

So back in 2011, Dropbox had this coding error that basically disabled their authentication system. Oh no. For several hours. No way. So anyone could have accessed any account during that time.

Speaker 1

Yikes. So even a big reputable company like Dropbox right can have those vulnerabilities absolutely, and.

Speaker 2

You have to think about you know, you've got attacks against shared resources, You've got insecure APIs.

Speaker 1

Oh no, I need a little help here. What are insecure APIs?

Speaker 2

So those are like the interfaces that allow applications to talk to each other. Okay, if those aren't secure, it creates vulnerabilities that attackers can exploit.

Speaker 1

Okay, got it. So it's not just about choosing a trustworthy cloud provider. It's also understanding the security of that whole shared environment exactly.

Speaker 2

And moving to the cloud doesn't mean you're off the hook. Yeah, you still need to do your due diligence, make sure the cloud provider meets your security needs.

Speaker 1

It's like renting a car. You're responsible for driving it safely exactly, even though you don't own it.

Speaker 2

Exactly.

Speaker 1

Shared responsibility, shared responsibility Okay, so we've been focusing a lot on the technical aspects, but I want to shift gears a little bit to talk about privacy because it seems like that's a growing concern in this digital age, especially with all the data we're generating online.

Speaker 2

Absolutely, privacy is not just a computer issue, right, right, But computers have definitely like amplified the risks.

Speaker 1

They've changed the game they have. Yeah, it's not just about someone peeking into your diary. It's about vast amounts of data being collected, analyzed, often without our knowledge.

Speaker 2

Right, and used in ways that we may not even realize.

Speaker 1

Yeah, it's like big Brother is watching. But a lot of times it's not even the government, it's corporations.

Speaker 2

Right.

Speaker 1

So, what are some specific ways that computers are impacting our privacy?

Speaker 2

Well, you got RFID tags, they're everywhere.

Speaker 1

Yeah, those tiny little chip.

Speaker 2

Credit cards, passports, they can be read wirelessly, often without our knowledge. So it's not just about our online activities. It's like our physical movements being tracked.

Speaker 1

Right.

Speaker 2

And then you've got those privacy policies, you know, those long, complicated documents.

Speaker 1

Yeah, the ones I just click accept on and hope for the best, exactly but they probably say a lot of important stuff about how our data is being collected and shared.

Speaker 2

Right, But even if you read them, sometimes they're written in a way that's hard to understand. Yeah, it's like this transparency paradox.

Speaker 1

Right, how do you provide detailed information in a way that's both comprehensive but also user friendly? So what can we do to protect our privacy in this digital age? I mean, is it even possible?

Speaker 2

It's not easy, but awareness is key. We can try to minimize our digital footprint. Use privacy focused browsers and search engines, be careful what we share online, actually read the key sections of those privacy policies.

Speaker 1

Yeah, be informed. We have to be informed consumers, right, exactly of digital services and make choices. Okay, but even if we're careful about our own data, what about the security of the systems that we use? I mean, how can we be sure that those are protected from attack?

Speaker 2

Security testing? You've got to find the flaws before the bad guys do.

Speaker 1

I imagine that's pretty complex.

Speaker 2

It is. It's not just checking if things work right, it's trying to break the system. Oh wow, thinking like an.

Speaker 1

Attacker, So you're playing cat and mouse.

Speaker 2

With the hackers kind of but with serious stakes. And the book talks about how, you know, the old school penetrate and patch method isn't enough anymore. You find a flaw, fix it, that's not going to cut it these days, right, right, security testing needs to be way more comprehensive, way more systematic.

Speaker 1

Holistic approach, I guess.

Speaker 2

Exactly, and it can't just be a one time thing. You got to be constantly adapting to new.

Speaker 1

Threats, so we have to be vigilant. But security isn't just about technology, right, It's about people and processes too.

Speaker 2

You're absolutely right, and that's where security management comes in, having the right people, plans, procedures to manage and mitigate those security risks.

Speaker 1

So it's like you got to have a plan, A, B, and C to deal with all the security challenges that are going to come our way, exactly. But even with all the plans and technology in the world, sometimes there are situations where there's no easy answer, absolutely right. So that's where ethics come in, right. This book really talks about that ethics being like the compass for those tricky situations, especially when the law is fuzzy, right, yeah.

Speaker 2

Or inadequate and in the world of computer security. That's a lot.

Speaker 1

So how do we make ethical decisions in this crazy digital world.

Speaker 2

The book really emphasizes personal principles and responsible.

Speaker 1

Action, thinking about the consequences not just for ourselves but for others. Right, okay. So we've covered a lot of ground in this first part of our deep dive into Security in Computing. Data integrity, the role of computers in terrorism, authentication, access control, encryption, network vulnerabilities, data loss prevention, cloud security, privacy, security testing, and even ethics.

Speaker 2

It's a lot, it is.

Speaker 1

It's a lot to process, but I think it shows just how complex and important this field of computer security is.

Speaker 2

Absolutely, it's always evolving.

Speaker 1

Welcome back to our deep dive into Security in Computing. We just scratched the surface of this complex field. But now we're getting to the good stuff, the tools and techniques they use to protect our digital world.

Speaker 2

Yeah, it's like peeking behind the curtain, seeing how the magic happens.

Speaker 1

I love that analogy. And one of the most fundamental tools we have is encryption. We talked about it before, but this book goes deep into the nitty gritty of different algorithms.

Speaker 2

Oh yeah, it gets pretty.

Speaker 1

It really does. And it's fascinating how they work. We talked about those two main types, symmetric and asymmetric encryption, but the book mentions all these specific algorithms like a whole alphabet soup of acronyms. It's a little intimidating, I.

Speaker 2

Know what you mean. It can be, but once you understand the basic principles, it's easier to see the bigger picture. Okay, so let's start with symmetric encryption. DES, RC2, RC4, do those ring a bell?

Speaker 1

Vaguely? I remember DES being like the old standard, but I'm fuzzy on the rest.

Speaker 2

Right, DES the Data Encryption Standard. It was the go to for a long time, but these days it's been mostly replaced by AES, the Advanced Encryption Standard.

Speaker 1

Okay.

Speaker 2

Think of it like upgrading from a rotary phone to a smartphone.

Speaker 1

Okay, so AES is the more modern, more robust version.

Speaker 2

Gotcha, right?

Speaker 1

What about those RC algorithms? Are they completely obsolete?

Speaker 2

Not entirely. They're generally considered less secure than AES, but they still have their uses, actually, in situations where speed is more important than absolute security. Okay, like, you know, if you're encrypting a quick email, RC4 might be enough, but if you're dealing with, like, top secret government documents, you're going to want that heavy duty protection of AES.

Speaker 1

Okay, so it's all about choosing the right tool for the job, exactly. Speaking of different tools, the book also mentions this RC5, which seems a little unique.

Speaker 2

Yeah. RC5 is a bit different. It's called a fully parameterized block cipher, which basically means you can adjust the key length, the block size, even the number of cycles, so you could really customize the level of security. It's like having an adjustable wrench for encryption.

Speaker 1

I love that it's so much easier to grasp these concepts when you have a visual absolutely.

Speaker 2

And it's interesting to note that RC5 actually served as a model for RC6, which was one of the candidates considered for the AES standard.

Speaker 1

Oh really, So the RC family has had quite an impact on the world of encryption.

Speaker 2

Yeah, definitely.

Speaker 1

Okay, so we've covered a lot of ground with symmetric encryption. What about asymmetric encryption? That's the one with the public and private keys, right? Exactly.

Speaker 2

And this cleverly solves that key distribution problem we talked about earlier with symmetric encryption, Sharing a secret key securely can be a real pain, especially in today's interconnected world.

Speaker 1

Right It's like trying to whisper a secret in a crowded room without anyone overhearing.

Speaker 2

Yeah, pretty much impossible.

Speaker 1

Pretty much.

Speaker 2

But with asymmetric encryption, you have two keys, a public key which you can share freely, and a private key which you keep super secret. Anyone can use your public key to encrypt a message for you, but only you with that private key can decrypt it.

Speaker 1

So it's like having a mailbox with two slots, one for anyone to drop mail in and one that only the owner can open with their key.

Speaker 2

Perfect analogy, and this system totally eliminates the need to share a secret key, making it so much more secure.

Speaker 1

Right, that makes sense. So what are some of the common algorithms used for asymmetric encryption.

Speaker 2

One of the most widely used is RSA. It's been around since the seventies and it's still considered extremely secure. It's based on the mathematical difficulty of factoring large prime numbers, okay, which, trust me, is incredibly hard to do.

Speaker 1

So RSA, that name sounds familiar. It's like the gold standard for asymmetric encryption. Right.

Speaker 2

Yeah, you could say that it's built to withstand some serious attacks.

Speaker 1

So RSA is like Fort Knox. Okay, but are there any downsides to asymmetric encryption? Is there a trade off for that extra security?

Speaker 2

There is? Generally speaking, asymmetric encryption is slower and requires more processing power than symmetric encryption.

Speaker 1

Makes sense.

Speaker 2

It's a bit like choosing between a speedy scooter and a sturdy but slower truck. It all depends on your needs and the resources you have available.

Speaker 1

It's about finding that balance between security and efficiency, right, exactly. So we've got encryption for keeping our data secret, but what about ensuring that data hasn't been tampered with in transit? That's where hash functions come in, right.

Speaker 2

You got it. Hash functions are like creating a digital fingerprint for your data. They generate this unique digest that represents the data, and if even a single bit of the data changes, the hash function will spit out a completely different digest, basically shouting, hey, something's wrong here.

Speaker 1

So it's like a tamper proof seal.

Speaker 2

Exactly, the seal is broken, you know something's up.

Speaker 1

Okay. So for a hash function to be effective, what are the key characteristics it needs to have?

Speaker 2

Well, first of all, it needs to be one way, meaning you can easily generate a digest from the data, but it's virtually impossible to go back from the digest to the original data.

Speaker 3

It's like scrambling an egg. You can't unscramble it. A perfect analogy. And secondly, a good hash function should be collision resistant, meaning it's incredibly difficult to find two different pieces of data that produce the same digest.

Speaker 1

So uniqueness and irreversibility, got it. Now, the book mentions a few popular hash functions like MD5, SHA-1, and SHA-256. Are these just different brands of tamper proof seals?

Speaker 2

Yeah, you could think of it that way. They all generate these unique digests, but some are considered more secure than others. MD5, for example, has been found to have some vulnerabilities, so it's not really recommended for applications where security is super important. Okay. SHA-1 has also shown some weaknesses, so SHA-256 is generally considered the more secure option.

Speaker 1

Okay, so it's like choosing a lock for your front door. You wouldn't use a flimsy lock if you're trying to protect your valuables, right, you'd go for the heavy duty one, exactly.

Speaker 2

And that brings us to an interesting topic. Elliptic curve cryptography or ECC for short. It's a relatively new type of public key cryptography that's gaining a lot of traction because it can provide the same level of security as RSA, but with much shorter keys.

Speaker 1

Shorter keys. What's the advantage of that.

Speaker 2

Well, shorter keys translate to faster processing times and less storage space required, which is a huge advantage in today's world of mobile devices in cloud computing where resources are often limited.

Speaker 1

So it's like a more efficient version of RSA, smaller, faster, more compact. It sounds like a win win.

Speaker 2

Yeah, it definitely has a lot of advantages. However, there's one example mentioned in the book, a specific ECC algorithm called Dual EC, that raised some serious security concerns.

Speaker 1

Oh what happened there?

Speaker 2

Well, Dual EC was developed by the National Security Agency, the NSA, and they promoted it as a standard for generating random numbers used in encryption. But it turned out that Dual EC had a potential back door.

Speaker 1

Wait, a backdoor you mean, like a way for someone to bypass the encryption.

Speaker 2

Yeah, potentially someone with knowledge of certain secret parameters could predict the output of the algorithm and break the encryption. It's like having a lock with a hidden master key that only certain people know about.

Speaker 1

That's unsettling to say the least, especially coming from an organization that's supposed to be at the forefront of cybersecurity.

Speaker 2

Right. It definitely raised a lot of eyebrows, and it just goes to show that even when you're using these sophisticated algorithms, you need to be aware of their origins and potential vulnerabilities.

Speaker 1

So don't just blindly trust any algorithm, no matter how impressive it sounds.

Speaker 2

Exactly do your research and understand the potential risks involved.

Speaker 1

Okay, we've covered a lot of ground here, encryption algorithms, hash functions, even the potential for backdoors. But how do we stay informed about the broader security landscape? Because the world of cyber threats is constantly evolving, it seems like a never ending game of cat and mouse.

Speaker 2

It is, and that's why it's so important to stay informed. One great way to do that is by keeping an eye on reports and surveys from organizations around the world that track security trends.

Speaker 1

Okay, what are some examples.

Speaker 2

Well, for instance, the Australian government publishes an annual Cybercrime and Security Survey which gives a really good snapshot of the cyber threat landscape in.

Speaker 1

Australia, so it's like a barometer of cybercrime in that region. What about global resources.

Speaker 2

There's the Deloitte Technology, Media, and Telecommunications Global Security Study.

Speaker 1

Okay.

Speaker 2

They survey executives from companies all over the world to understand the security challenges they're facing and the strategies they're using. It's a great way to get insights into how organizations are approaching security on a global scale.

Speaker 1

That sounds incredibly valuable. What kind of trends are they seeing.

Speaker 2

Well, one interesting trend is that companies are shifting away from just focusing on regulatory compliance. Oh oh, okay, They're starting to develop more comprehensive security strategies and roadmaps, taking a more proactive approach to security, which is great to see.

Speaker 1

It's encouraging to see that shift from reactive to proactive. Are there any other reports we should be paying attention to?

Speaker 2

Absolutely, the global information security survey from Ernst and Young is a must read.

Speaker 1

Ok.

Speaker 2

They gather data from thousands of organizations worldwide and provide a detailed analysis of security threats, vulnerabilities, and overall trends shaping the landscape.

Speaker 1

So it's like a global pulse check on the state of computer security exactly.

Speaker 2

And keep in mind, these reports and surveys are just the tip of the iceberg. There's a wealth of information out there, from industry blogs and forums to government agencies and security organizations.

Speaker 1

Wow, it can feel a little overwhelming, but I guess the key is to find the resources that are most relevant to our needs and make a habit of staying in.

Speaker 2

Formed, absolutely, because computer security is not a spectator sport. We all have a role to play in protecting ourselves and our data.

Speaker 1

So true, and while we've delved deep into the technical aspects of encryption, hash functions and global security trends, I think one crucial takeaway is that the human element can't be overlooked.

Speaker 2

Couldn't agree more. Technology is essential, but it's only as strong as the people.

Speaker 1

Using it, right, and that's where things like security awareness training come into play, which I think is a great segue into the next part of our deep dive, where we'll explore how organizations can build a culture of security and empower their employees to be that first line of defense against cyber threats. Welcome back to our deep dive into Security in Computing. We've been on quite a journey exploring the complex world of encryption, hash functions, global security trends, but this book keeps bringing us back to one crucial element, the human factor. It's a powerful reminder that technology alone can't solve all our security problems.

Speaker 2

You're absolutely right, even with the most sophisticated systems in place, a single careless click, a poorly trained employee that can create a vulnerability. It's like having this high tech security system for your home, but you leave the front door wide open.

Speaker 1

It just makes it all pointless. Right, So how do we address this human element? What strategies does the book suggest?

Speaker 2

One of the most effective strategies is security awareness training. It's all about educating users about the risks, the threats out there, and the best practices for staying safe online. We need to make security everyone's responsibility, yeah, not just the IT department's problem.

Speaker 1

Right, empower employees to be that first line.

Speaker 2

Of defense exactly. Think about it. One wrong click on a phishing email that can compromise an entire network. So equipping people with the knowledge and skills to make informed decisions, that's crucial.

Speaker 1

It's like teaching people how to drive defensively, but in the digital world, be aware of your surroundings, anticipate those hazards, know how to react if something happens.

Speaker 2

I love that analogy. And just like with defensive driving, security awareness requires constant practice, constant vigilance because that threat landscape it's constantly evolving. We've got to stay informed and adapt.

Speaker 1

It's a continuous learning process, right. You can't just attend one training session and think you're good to go. But even with the best training, there's always the risk of those malicious insiders, right, the people who intentionally try to harm the organization from within. That's a scary thought.

Speaker 2

It's a legitimate concern, and it can be very tough to detect and prevent. That's why strong security policies, procedures, things like access controls, regular security audits, those are crucial. So checks.

Speaker 1

And balances even for those we trust. But how do you create a culture of security where everyone really understands the importance of those best practices.

Speaker 2

About fostering that sense of shared responsibility. Making security a part of the company culture, not just a set of rules to follow. You encourage open communication about security concerns, recognize and reward good security practices.

Speaker 1

So make it a value, not just a checkbox. This book has really opened my eyes to the complexity of computer security. We've covered so much, the technical side with encryption algorithms, the human side, the policies. It's a lot to consider.

Speaker 2

It is, and it highlights that computer security is not a one time fix. It's a continuous process. It's constantly learning, adapting, and evolving.

Speaker 1

We can't just set it and forget it. So, as we wrap up our deep dive into Security in Computing, what are some key takeaways for our listeners? What should they remember as they navigate this digital world?

Speaker 2

First and foremost, security is everyone's responsibility. It's not just the IT department's job. Each of us needs to be aware of the risks, take those precautions, make smart choices when we're online right, be proactive exactly, and never underestimate that human element. Technology is important, but we are often the weakest link.

Speaker 1

Invest in that security awareness training, be vigilant about those insider threats. Absolutely, because people, they're both the weakest link and the strongest asset when it comes to security.

Speaker 2

Well said, And remember this field is always evolving. New threats pop up all the time. We need to stay informed, adapt, and never stop learning.

Speaker 1

It's a journey, not a destination. Exactly so to our listeners, if you found this deep dive interesting, don't stop here. Dive deeper. There are tons of resources out there online, courses, certifications, industry events, keep learning and keep asking questions.

Speaker 2

Curiosity is key in this field, that's.

Speaker 1

For sure, well said. Thank you for joining us on this deep dive into Security in Computing. We hope you gained some valuable insights into this fascinating and crucial field. Until next time, stay safe online, stay informed, and keep diving deep.
